On this page ...

On this page I'll give you a brief introduction to the types of SmartCards available. Note that not ALL types are covered, the most commonly used cards are however. Most of these cards are used for getting access to buildings, access PC's, access services, activate satellite TV programs, make micro payements, even have access to GSM networks, etc. You will need a card reader to retrieve the data on a card and a card writer to write data to a card. Several types are available on the market, some are even integrated into a keyboard. Note: Read the disclaimer! This page is for information purposes only! Note: Do not even THINK about mailing me for any questions on how to hack certain systems, where to find keys, etc etc! These mails will be deleted without reading them!

Introduction

So what is a SmartCard?

A SmartCard is basically a creditcard sized card, holding one or more chips. These can be memory chips (usually a serial EEPROM) and/or CPU (for example a PIC or AVR CPU).

Besides the chip(s) and the plastic card itself, there is also a contact "area" where the outside world can contact the chips. This is either an, square or oval, area of 6 or 8 contacts, usually colored gold. The connections should comply to ISO-7816-2.

Note: Based on these connections one cannot determine the type of card!

Note: There are also contact-less SmartCards, we will not discuss any of these on this page.

Generic applications for a SmartCard are:

• PayPhone cards
• GSM SIM cards
• Banking cards (Debit cards)
• Credit cards
• Chip-Knip
• Identification
• etc.

There are basically two types of smartcards: the ones with only an EEPROM (memory) and the ones with a CPU (PIC or AVR) and EEPROM (little CPU and memory).

For more info on PIC's see the BASIC Stamp pages.

For most access applications a simple and cheap EEPROM-only card (so called MEMORY CARDS) is being used. These cards allow access to their memory without any problems. The most well known cards of this type are the GemPlus cards. Data on these cards can of course be encrypted by the application reading the card. Some of these cards have an application in the card's memory, which will be run by the hardware that is reading the card.

There where security plays a significant role, CPU and EEPROM cards (called CPU CARDS) are being used. These types are used for example for Banking Cards (Debit/Credit cards), GSM SIM cards, etc. These cards have a little application running on their CPU dealing with requests. Any information in memory can only be accessed using this application. The processor handle READ, WRITE and UPDATE of data. It could also be capable of encrypting and/or decrypting data stored in the EEPROM.

CPU Cards: Memory Access ONLY via the application on the CPU!

An example: accessing satellite digital-TV broadcasts (Pay-TV).

There are two types of transmission; so called FTA transmission (Free To Air) where no card is needed.
The other variant is Pay-TV for which you need to pay. When subscribing to such a service, you get a smartcard (usually of the type MOSC) allowing you to get access to the transmitted programs.

The Pay-TV variant is usually encoded (scrambled/encrypted) in a specific format like Irdeto, Seca, Seca-2, VIA-Access, etc. Your receiver will need to be able to decode this encoding. So if you want to view Seca transmission, your receiver will need to support Seca. Other receivers, for example an older Irdeto receiver, will not be able to decode this Seca signal. Some receivers have build-in hardware to do so, other receivers can be expanded using so called CAM's. This basically is an PCMCIA card with some intelligence onboard enabling the decoding of that particular encryption.

For viewing encoded transmissions your receiver will need so called "Keys". These Keys are stored on a smartcard and are being updated over air frequently. Meaning: the provider transmits the new keys, your receiver recognizes them as his and stores the new keys on the smartcard(s).

When you switch your receiver to an encrypted signal, the receiver will "ask" the smartcard for a key. If it cannot be found on the smartcard, the picture on your TV remains black or shows a message "Please Insert SmartCard".

Technical hardware details

Pinout

The connection area (either oval or square) is normally ISO 7816-1 or ISO 7816-2 compliant. According to these specifications, the pinout should be as shown below;

Pinout according ISO 7816-1 and 7816-2

The upper left corner is pin 1. Going down from there we see pins 1, 2, 3 and 4. On the right side, top to bottom, we see pins 5 to 8.

Most cards we present below are accoring to ISO 7816. This does not only specify the pinout, but also the position of the contacts. An alternative position is defined in the AFNOR specification.

ISO versus AFNOR contact positions

Note: Afnor contact positions are rarely used in common applications.

Tip: Over time, the contacts of a Smartcard can get pretty dirty. Use a pencil eraser to clean the contacts.

CPU cards - CPU type, Construction

Different CPU based cards are available out there, basically the type of PIC (processor - Peripheral Interface Controller) and size of the EEPROM (memory) defines the type of card. Simple cards like the Goldwafer cards use a MicroChip 16F84 PIC (see MicroChip website for details), more enhanced cards like the FunCard, use AVR PIC's by Atmel (see Atmel Website for more details). For use in satellite purposes (ie. decoding scrambled signals) any of these cards will do the job, provided you have files for them.

Construction

These cards are available in basically 3 types of assembly:

• HMD (Hole Mounted Device)
  This is an technique used when experimenting with PIC and EEPROM combinations which are not available yet, cheaper this way or hard to find. Relatively large components are mounted and soldered through holes on the PCB (card). These are more the "home made" SmartCards".
  
  
• SMD (Surface Mounted Device)
  This type of card is similar but uses smaller component which are soldered on PCB without the need for any holes.
  
  
• Integrated cards
  Here the PIC and EEPROM are embedded in the plastic of the card. Individual components cannot be identified by the eye. Usually these cards are created in mass production and are relatively cheap.

Component Mount Techniques

There seems to be a lot of confusion regarding on the size of the memory on Smart Cards. The reason for this confusion is the confusion between kilo BYTES and kilo BITS. The memory size is indicated in KiloBITs. This means that a 24C16 can hold 16 KiloBIT, which means 2 kiloBYTEs. A BYTE = 8 BITS.

In general, Smart Card types are easy to recognize. Most integrated cards have some kind of text on them to identify them. Incase it doesn't and you do know the type, then consider using a marker pen and write it on the plastic.

What can go wrong with SmartCards?

SmartCards are pretty sturdy but the contacts can get durty (use a pencile eraser to clean the contacts). This is a mechanical "failure".

There is also a number serious security riscs when using these cards. Below a summary of some of the riscs.

For all these actions, some insight knowledge, the right software and hardware, could do the trick!

WARNING: It is NOT the target of this page/website to explain you how to duplicate and/or tamper with these cards! Don't even ask for it! The summary below is just an extract of potential riscs for those who wish to introduce SmartCards for their systems! For those who do tamper with these cards: I highly recommend not doig this as it is most likely ILLEGAL! See also the disclaimer!

Cards can be cloned.

When considering this option, you might think of getting a fully charged pay-phone card and duplicate it's content on a cheap empty card over and over again. Or having a fully payed Pay TV card from your neighbour and duplicate it for watching Pay TV at home.

This also allows a holder of a duplicate GSM SIM card to for example evesdrop your calls, or even have you charged by using your mobile number for calling their relatives and friend abroad!

Cards can be modified.

So a user would be able to modify a Pay TV card allowing him to see everything he or she likes. They could also tamper with the value stored on a Pay-Phone card.

How to avoid

To avoid these potential security issues, you might want to maintain a log list. For example; a list that maintains all transactions of a debit-card. How much has been added, how much has be substractied, and apply the appropriate logic to identify tampering.

Additionally, the logic on the SmartCard can ask for a so called PIN (Personal Identification Number) before any information on the card can be accessed. This is still not very safe, but much safer than any solution not using a PIN-code.

Programming Cards

On this website you will find some examples of applications that can program a certain number of SmartCards.

• Editing a GSM SIM phonebook and messages with the MasterA
• Programming a GoldCard with the Millenium Programmer
• GoldCard and FunCard using CardMaster software (Infinity CM, ChipDrive, and the Mini Millenium)
• GoldCard and FunCard using Infinity USB software (Infinity USB)
• GoldCard and FunCard using MasterBurner software (MasterCRD, SC-Master Phoenix, MasterA, VX-Multi, VP-20, and Multiprog-XL)

Card Types

• Very old: the MultiMac card
• OSC (Original SmartCard) or MOSC (Modified Original SmartCard)
• GoldWafer, GoldCard, PICcard, SMDWafer, and BlueCard
• SilverWafer, SilverCard, Galaxy2, GreenCard, and PicCard II
• Jupiter 1, BlackCard and Jupiter 2 cards
• ATMELCard, FunCard (also FunCard 2, 3, 4, 5), Purple Galaxy, and Prussian (also Prussian2 and Prussian3)
• Other AVR cards (AT Mega, FunCard DIP, AVR-3, and SuperPIC Zen)
• GemPlus: Generic MicroProcessor Cards
  

Memory SmartCards:

• GEMPlus: Generic Memory Cards
• GEMPlus: Advanced Memory Cards

Card Type: MultiMac

Target: Satellite Pay TV

The MultiMac card is an golden oldie. Rarely used anymore. As far as I could find any info on the web; this card is only available as a HMD (Hole Mounted Device) card. It commonly comes with an MicroChip 16C622 PIC processor and a 24C64 EEPROM. A lot of editor applications seem to still support them, however: it's old.
Either go for a FunCard or a GoldCard.

MultiMac Card

Card type: (M)OSC

Target: Satellite Pay TV

(M)OSC is short for (Modified) Original Smart Card. Although these cards can be modified; I strongly recommend NOT doing so. You're better of experimenting with Goldcards or Funcards for example.

These are the cards the Pay TV providers did provide you. Some examples;

Some (M)OSC card examples

Most programmers are not capable of modifying these cards. Programmer like the MasterA models however are capable of modifying these.
Once more: I strongly recommend NOT modifying these cards!

Card Type: GoldCard

Target: Satellite Pay TV

Also known as PICCard, GoldCard, SlimCard, SlimCard II or SMD Wafer. GoldWafer\GoldCard refers to the integrated card type. A so called BlueCard is also a GoldWafer card. The difference is to be found in a larger EEPROM, offering 8 kiloBYTE.

All these cards have a PIC (Peripheral Interface Controller) processor (Usually a Microchip 16F84). These cards come with an 2Kb external eeprom (24C16).

GoldWafer examples

When looking at the SMD Wafer card (on the left) you can see 2 little chips. The large one on the left is the 16F84 PIC, the tiny one on the right is the 24C16 EEPROM. This is the (at the time of this writing) most common card. On all cards you will notice the 8 contacts-points. The 2 on the left most side (contacts 4 and 8) are not always available (on the SMD Wafer you will see that there is some tape put over these contacts). However, if they ARE available, then this is an indication that the eeprom is directly addressable, which means that you do not need the PIC to address the memory. Usually this feature is not used and some receivers tend not accept the card (specifically: CAM's) when using it - that's why there is a tape on the left card. GoldWafer cards come in many different looks. Different prints are used for commercial purposes I guess, but no matter what has been printed on them: they are the same.

As the number of Pay TV providers keeps growing and the encryption keys keep getting bigger, we do need more memory. There are some GoldWafer card out there that have more memory, for example the Bluecard (the most right one in the picture above) which combines a PIC 16F84 with an 24C64 EEPROM. This offers 8Kb of memory, 4 times the amount of memory an original GoldWafer offers.

Card Type: SilverCard

Target: Satellite Pay TV

Also known as: Galaxy2, GreenCard, GreenCard II, SilverWafer, SilverCard, and PicCard II.

The SilverCard is the successor to the GoldWafer cards. It uses a faster processor (PIC 16F876) and has a larger EEPROM (starting with the 24C64 - 8 KiloByte) offering more memory. In the image below you see (from left to right) the Piccard II in SMD, a GreenCard (holding 16 KiloByte of memory), the SilverCard and the GreenCard2 (holding 32 KiloByte).

Examples of the SilverCard

Card Type: Jupiter 1

Target: Satellite Pay TV

Jupiter 1 cards, also known as BlackCard, are not often used, this also implies that it will be very hard to find any files for these cards!
In the image below you will see the SMD version and the plastic integrated version.

Jupiter 1 cards

Like the FunCards, we will them see in the next paragraph, Jupiter 1 cards use also an Atmel processor, the 90S2343.

The Jupiter 2 card, also sold as a BlackCard II, is equipped with the Atmel 90S8535 processor and has an external EEPROM (8 KiloByte). Some of these cards come with an external connector allow you to do some logging. This card is used more often than the Jupiter 1 but still pretty rare.

Jupiter 2

If you're still considering a card to buy: stay away from these cards, get a FunCard instead.

Card Type: FunCard

Target: Satellite Pay TV

Also known as: ATMELCard, FunCard, FunCard 2, Funcard 3, FunCard 4, FunCard 5, Funcard 6, Purple Galaxy, Prussian, Prussian2 and Prussian3.

The FunCard is loved for it's large memory and faster processor (Atmel 90S8515). It is said that the Atmel helps making switching channels faster - although this is not the only factor determining the zapping speed! For example on the Strong SRT8000: The FunCard is MUCH slower than the GoldCard. I assume the firmware (usually modified) of the receiver is also an important factor in this story.

Although the ATMEL 90S8515 has it's own internal EEPROM, many cards use external memory since it can offer more memory space. Default the 90S8515 has already 8 KiloByte internal memory, so why one would like to have the additional EEPROM ... beats me.

FunCard examples

On the left, in the image above, you will see an SMD version of the FunCard. They come with and without led's which flash up while the card is being accessed. Pretty cool. Again the larger chip is the processor and the smaller one on the right is the EEPROM.

The second card, the purple one is a integrated plastic version of the FunCard. These two traditional Funcards have a 24C64 (8 Kilobyte) EEPROM.

The third card, the "Open Platform" card, is an example of the FunCard 6, which offers 128 KiloByte of memory.
The last one is a so called FunCard 4 or Prussian 2 card, offering 32 KiloByte of memory.

Other AVR Cards

Target: Satellite Pay TV

There are a lot of different AVR (FunCard like) cards out there;

The AT-Mega card, offers an ATMEL processor (the ATMega 163) and a 32 KiloByte EEPROM. Not (yet) a commonly used card.

AT-Mega FunCard

FunCard DIP or DIL; This card is a FunCard card, holding 8 kilobyte of memory and ATMEL AT90S8515. The only difference is that the chips onboard are in DIL format, which means that you can remove and place the chip as you see fit without soldering and allowing you to insert it into a separate programmer. Not sure what the use of this might be ... but hey ... it's there ...

AVR-3 Card; this is one of the fastest FunCard variants available. It also hold an ATMEL processor and a 32 Kilobyte EEPROM. The good part of this card, besides speed, is that with the jumpers on this card you can switch modes (FunCard, XL and Extra, although I have no clue what this implies). I have no knowledge in detail what these cards additionally offer.

SuperPic Zen card; This is card is equipped with a PIC type processor (18F452) and a 32 KiloByte EEPROM.

Card Type: Generic Memory Cards

Target: commony used to store personal data, rewards/loyalty applications, etc.

Some of the GemPlus models: GemClub-Memo, GPM103, GPM256 (T1G), GPM2K, and GPM8K.

Generic MemoryCards by GemPlus

These cards allow storage of data on a SmartCard in a simple way. Most of these cards are based on the Infineon chip SLE4442 and have either 2 or 8 KiloByte of memory. These card (model depending) are more or less "protected".

Card Type: Advanced Memory Cards

Target: primarily used for prepaid telephone card applications, but it can also be used in closed payment schemes such as parking, transport, vending...

Some GemPlus models are: GAM275 (T2G), GAM326 (EuroChip II), GAM375 (T2G+).

Advanced MemoryCards by GemPlus

These card are very similar to the Generic Memory Cards, however major improvements over these, including active authentication with Security Application Module, pull-out management capabilities, and user data areas.

Card Type: MicroProcessor cards

Target: Debit/Credit cards, E-purse, payement systems, GSM/CDMA SIM cards ...

Some of the GemPlus model are: GemClub-Micro, MPCos and GemPlus Xplore series.

MicroProcessor cards

These cards have a very wide range of application, check out the GemPlus website for more details.